Authentication and Authorization
In order to use our service, a developer needs to do the following:
- Navigate to http://pathfinder.io.
- Register a new account with Pathfinder.
- Create a Pathfinder application and receive an API key.
- Provide an OpenID Connect signature verifying public key to the Pathfinder application.
Note, dashed lines are HTTP requests and solid lines are socket requests.
First, the developer of the application must set the application's global permissions to allow all requests. In easy authentication flow, the developer sends the Pathfinder server the API key, application ID, cluster ID, and a signed OpenID Connect compatible JWT (different for each end-user) to open a socket. Both the API key and application ID are created when the application is created. When the request is sent the OpenID Connect JWT is verified with the provided public and a response is generated. The requested action will be performed if the user is allowed.
Note, dashed lines are HTTP requests and solid lines are socket requests.
First, the developer of the application must set the application's global permissions to deny all requests. In the hardcore authentication flow, the developer's server is the only place the API key is known. The developer must first verify the end-users request for Pathfinder access. The developer's server then uses their API key, application ID, and a signed OpenID Connect compatible JWT (different for each end-user) to set user permissions. The permissions only have to be set once. The developer's server then uses their API key, application ID, and a signed OpenID Connect compatible JWT to request a user key that expires. The user key is then sent to the user. A user may then request a socket with a user key, an application ID, the signed JWT, and a cluster ID. When the request is sent the OpenID Connect JWT is verified with the provided public and a response is generated. The requested action will be performed if the user has permission.
A developer can tailor the easy and hardcore authentication flows for your service. A developer is free to allow anyone to create commodities, but require user level permissions for creating vehicles. These permissions may be intermixed. The global permissions are first checked and then the user permissions if either allow access the user has access.
In the future we will remove the requirement of a back-end server offering authenticate users. We will add a service to authenticate users using Google's authentication services.